I could not work out why the site occasionally raised a cookie theft attack (CookieTheftException). The official documentation gave no explanation either; later I found an analysis on OSChina that finally made the cause clear, the article "Who Moved My Cookie? A summary of experience developing the Spring Security automatic login feature".
According to that analysis, read together with the Spring Security source, the token value is updated and written back to the cookie after every successful persistent-login token check. The check verifies the login by comparing the token string in the cookie with the token held in persistent storage. The problem is that the cookie write after the token update sometimes fails, so the cookie still carries the old value while the persistent store already holds the new one.
Why does the cookie write fail after the token is updated? The article's author analyzes this well: ① concurrent requests (multithreaded operation), ② a 500 exception on the server side, ③ the browser cancelling the request, and so on.
The article's author recommends using TokenBasedRememberMeServices instead of PersistentTokenBasedRememberMeServices. TokenBasedRememberMeServices generates the cookie from a hash of the username and password (together with a server-side key), so no token is persisted at all. Many domestic websites adopt this scheme.
First, configure the rememberMeServices bean in applicationContext.xml:
    <bean id="rememberMeServices"
          class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="adminUserDetailService"/>
        <property name="key" value="your-key-for-encrypted"/>
    </bean>
The userDetailsService referenced here must of course be configured; it is normally a Java bean implementing the org.springframework.security.core.userdetails.UserDetailsService interface, which you can write yourself.
Finally, configure sec:remember-me inside the sec:http element:
    <sec:remember-me key="your-key-for-encrypted" services-ref="rememberMeServices"/>
Then restart the application, and CookieTheftException will not trouble you anymore.
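To show why this scheme needs no persisted token (and what it gives up), here is the TokenBasedRememberMeServices cookie format rewritten in Python as an added example; it is not Spring's own code. The user table and timestamps are constructed sample data, and the key is the one from the bean definition above.

```python
import base64
import hashlib
import hmac
import time

# Cookie value = base64("username:expiryMillis:md5hex(username:expiryMillis:password:key)")
# Constructed sample user table: the stored password value for each username.
USERS = {"alice": "s3cret-password-hash"}
KEY = "your-key-for-encrypted"   # the 'key' property from the bean definition


def signature(username, expiry_ms, password, key):
    # The signature binds the user, the expiry and the current password to the server key.
    data = f"{username}:{expiry_ms}:{password}:{key}".encode()
    return hashlib.md5(data).hexdigest()


def make_cookie(username, password, key, lifetime_s, now_ms=None):
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    expiry_ms = now_ms + lifetime_s * 1000
    sig = signature(username, expiry_ms, password, key)
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def verify_cookie(cookie, users, key, now_ms=None):
    """Return the username if the cookie is valid, else None.

    Only the user's current password is looked up; nothing about the cookie is
    stored server-side, so a password (or key) change invalidates every cookie at once.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        username, expiry_s, sig = base64.b64decode(cookie).decode().split(":")
        expiry_ms = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed cookie
    if expiry_ms < now_ms:
        return None                      # expired
    password = users.get(username)
    if password is None:
        return None                      # unknown user
    expected = signature(username, expiry_ms, password, key)
    # Constant-time comparison; Spring's own check is a plain string equals.
    if not hmac.compare_digest(expected, sig):
        return None                      # tampered or forged
    return username
```

Because nothing is stored on the server, a stolen cookie stays valid until it expires or the user's password (or the key) changes, which is exactly the cookie-theft detection that the persistent variant provided.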